From 11f00d2fe91e0bd1c0368cdfa90b66c8088f39f8 Mon Sep 17 00:00:00 2001
From: index-git
Date: Thu, 14 Dec 2023 15:12:17 +0100
Subject: [PATCH] Set JDBC role service as primary in GS
---
 CHANGELOG.md | 3 ++-
 doc/env-settings.md | 3 ---
 src/geoserver/role_service.py | 9 +++++++++
 src/layman_settings.py | 14 ++++++++------
 src/setup_geoserver.py | 5 ++++-
 5 files changed, 23 insertions(+), 11 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0789289d7..d2fbe6559 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ ```
 It was already required in v1.22.3.
 - Set new environment variable [LAYMAN_ROLE_SERVICE_URI](doc/env-settings.md#LAYMAN_ROLE_SERVICE_URI)
+- Stop using environment variable `LAYMAN_GS_ROLE_SERVICE`, it has no effect to Layman anymore. Role service called `layman_role_service` is used now.
 ### Migrations and checks
 #### Schema migrations
 - [#165](https://github.com/LayerManager/layman/issues/165) Add column `role_name` to table `rights` in prime DB schema. Add constraint that exactly one of columns `role_name` and `id_user` is not null.
@@ -853,7 +854,7 @@ There is a critical bug in this release, posting new layer breaks Layman: https:
 - [#62](https://github.com/LayerManager/layman/issues/62) GeoServer [Proxy Base URL](https://docs.geoserver.org/2.21.x/en/user/configuration/globalsettings.html) is now automatically set on Layman's startup according to [LAYMAN_GS_PROXY_BASE_URL](https://github.com/LayerManager/layman/blob/v1.21.1/doc/env-settings.md#LAYMAN_GS_PROXY_BASE_URL). If you do not set the variable, value is calculated as [LAYMAN_CLIENT_PUBLIC_URL](doc/env-settings.md#LAYMAN_CLIENT_PUBLIC_URL)+[LAYMAN_GS_PATH](https://github.com/LayerManager/layman/blob/v1.21.1/doc/env-settings.md#LAYMAN_GS_PATH). If you set it to empty string, no change of Proxy Base URL will be done on GeoServer side.
 - [#83](https://github.com/LayerManager/layman/issues/89) All layers are created as `GEOMETRY` type, so any other type can be added (for example polygons can be added to points).
 - [#73](https://github.com/LayerManager/layman/issues/73) Layman users are automatically created on GeoServer (either at start up of Layman or when reserved) with separate role and workspace. Username is the same as in Layman, name of role is `"USER_"+username`, name of workspace is the same as username. Read and write permissions for workspace are set according to Layman's authorization (as of now read-everyone-write-everyone or read-everyone-write-owner).
-- New environment variables [LAYMAN_GS_USER_GROUP_SERVICE](doc/env-settings.md#LAYMAN_GS_USER_GROUP_SERVICE) and [LAYMAN_GS_ROLE_SERVICE](doc/env-settings.md#LAYMAN_GS_ROLE_SERVICE) enable to control which user/group and role services are used at GeoServer. Not setting these variables means to use default services.
+- New environment variables [LAYMAN_GS_USER_GROUP_SERVICE](doc/env-settings.md#LAYMAN_GS_USER_GROUP_SERVICE) and [LAYMAN_GS_ROLE_SERVICE](https://github.com/LayerManager/layman/blob/v1.22.0/doc/env-settings.md#LAYMAN_GS_ROLE_SERVICE) enable to control which user/group and role services are used at GeoServer. Not setting these variables means to use default services.
 - [#69](https://github.com/LayerManager/layman/issues/69) Three separate identical settings files (`layman_settings_demo.py`, `layman_settings_dev.py`, `layman_settings_test.py`) were merged into one file `layman_settings.py`.
 - If username used in REST API request path is not yet reserved, HTTP requests other than POST returns (e.g. GET) HTTP error 404 (Layman code 40). Previously in case of GET request, empty list was returned.
 - List of GeoServer reserved workspace names was moved from `layman_settings.py` into source code (`src\layman\common\geoserver\__init__.py`)
diff --git a/doc/env-settings.md b/doc/env-settings.md
index 4736f701e..dcbac4e9a 100644
--- a/doc/env-settings.md
+++ b/doc/env-settings.md
@@ -176,9 +176,6 @@ Name of [GeoServer role](https://docs.geoserver.org/2.21.x/en/user/security/weba
 ### LAYMAN_GS_USER_GROUP_SERVICE
 Name of [user/group service](https://docs.geoserver.org/2.21.x/en/user/security/usergrouprole/usergroupservices.html) used for managing users at GeoServer. If not set (default), the service named `default` is chosen. Usually it's [XML user/group service](https://docs.geoserver.org/2.21.x/en/user/security/usergrouprole/usergroupservices.html#xml-user-group-service).
-### LAYMAN_GS_ROLE_SERVICE
-Name of [role service](https://docs.geoserver.org/2.21.x/en/user/security/usergrouprole/roleservices.html) used for managing roles and user-role associations at GeoServer. If not set (default), the service named `default` is chosen. Usually it's [XML user/group service](https://docs.geoserver.org/2.21.x/en/user/security/usergrouprole/roleservices.html#xml-role-service).
-
 ### LAYMAN_GS_AUTHN_HTTP_HEADER_ATTRIBUTE
 Secret value of [GeoServer HTTP authentication request header attribute](https://docs.geoserver.org/2.21.x/en/user/security/tutorials/httpheaderproxy/index.html) used for WFS proxy. Only combination of lowercase characters and numbers must be used for the value. If you change an existing value, you have to change it also in GeoServer GUI manually.
diff --git a/src/geoserver/role_service.py b/src/geoserver/role_service.py
index cdf633137..e8fc9038f 100644
--- a/src/geoserver/role_service.py
+++ b/src/geoserver/role_service.py
@@ -6,6 +6,7 @@ from xml.sax.saxutils import escape
 from requests_util import url_util
+from . import authn
 logger = logging.getLogger(__name__)
 logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)
@@ -50,3 +51,11 @@ def setup_jdbc_role_service(data_dir, service_url, role_service_name, db_schema)
 file.write(rolesdml_content.format(
 schema=escape(db_schema),
 ))
+
+
+def set_primary_role_service(data_dir, role_service_name):
+ security_xml = authn.get_security(data_dir)
+ element = security_xml.find('roleServiceName')
+ element.text = role_service_name
+ security_path = os.path.join(data_dir, 'security/config.xml')
+ security_xml.write(security_path)
diff --git a/src/layman_settings.py b/src/layman_settings.py
index 6938151df..e5408af21 100644
--- a/src/layman_settings.py
+++ b/src/layman_settings.py
@@ -105,9 +105,16 @@ class EnumWfsWmsStatus(Enum):
 GEOSERVER_ADMIN_PASSWORD)
 GEOSERVER_DATADIR = '/geoserver/data_dir'
 GEOSERVER_INITIAL_DATADIR = '/geoserver/initial_data_dir'
-LAYMAN_GS_ROLE_SERVICE = os.getenv('LAYMAN_GS_ROLE_SERVICE', '') or 'default'
+
+LAYMAN_GS_ROLE_SERVICE = 'layman_role_service'
+# Name of schema, where Layman maintains internal GS JDBC Role Service.
+LAYMAN_INTERNAL_ROLE_SERVICE_SCHEMA = '_role_service'
+LAYMAN_ROLE_SERVICE_URI = os.environ['LAYMAN_ROLE_SERVICE_URI']
+LAYMAN_ROLE_SERVICE_SCHEMA = parse_qs(urlparse(LAYMAN_ROLE_SERVICE_URI).query)['schema'][0]
+
 LAYMAN_GS_USER_GROUP_SERVICE = os.getenv('LAYMAN_GS_USER_GROUP_SERVICE', '') or 'default'
+
 LAYMAN_GS_USER = os.environ['LAYMAN_GS_USER']
 LAYMAN_GS_PASSWORD = os.environ['LAYMAN_GS_PASSWORD']
 LAYMAN_GS_AUTH = (LAYMAN_GS_USER, LAYMAN_GS_PASSWORD)
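Review bot: `security_xml.find('roleServiceName')` in `set_primary_role_service` returns None when the element is absent, and the next line then dies with a bare AttributeError that names neither the data dir nor the file being edited; because this write decides which role service GeoServer consults for authorization, it should fail with a clear message, e.g. `if element is None:` / `raise ValueError(f"roleServiceName element missing in security/config.xml under {data_dir}")`. The target path `security/config.xml` is also hard-coded here while `authn.get_security(data_dir)` presumably reads the same file; if authn exposes that path, reusing it keeps the read and the write from diverging. If `get_security` returns an `xml.etree.ElementTree.ElementTree`, `write(security_path)` without `encoding`/`xml_declaration` emits no XML declaration, which is worth confirming against what GeoServer expects in that file.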
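Review bot: The new `LAYMAN_GS_ROLE_SERVICE = 'layman_role_service'` carries no comment saying that the name is now fixed rather than read from the environment, which a reader used to the old `os.getenv` form, and to the still env-driven `LAYMAN_GS_USER_GROUP_SERVICE` two lines below, will not expect; a line such as `# Fixed name of the GeoServer role service that setup_geoserver creates and sets as primary; the LAYMAN_GS_ROLE_SERVICE env var is no longer read.` would make the change self-explaining. The moved `LAYMAN_ROLE_SERVICE_SCHEMA = parse_qs(...)['schema'][0]` line still raises a bare KeyError at import time when the URI has no `schema` query parameter, so the newly grouped block is a good place to raise a `ValueError` that names `LAYMAN_ROLE_SERVICE_URI` instead. The second hunk of this file only deletes the lines that moved here.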
@@ -224,11 +231,6 @@ class EnumWfsWmsStatus(Enum):
 if RIGHTS_EVERYONE_ROLE not in GRANT_PUBLISH_IN_PUBLIC_WORKSPACE:
 assert not GRANT_CREATE_PUBLIC_WORKSPACE.difference(GRANT_PUBLISH_IN_PUBLIC_WORKSPACE)
-# Name of schema, where Layman maintains internal GS JDBC Role Service.
-LAYMAN_INTERNAL_ROLE_SERVICE_SCHEMA = '_role_service'
-LAYMAN_ROLE_SERVICE_URI = os.environ['LAYMAN_ROLE_SERVICE_URI']
-LAYMAN_ROLE_SERVICE_SCHEMA = parse_qs(urlparse(LAYMAN_ROLE_SERVICE_URI).query)['schema'][0]
-
 # UPLOAD_MAX_INACTIVITY_TIME = 10 # 10 seconds
 UPLOAD_MAX_INACTIVITY_TIME = 5 * 60 # 5 minutes
diff --git a/src/setup_geoserver.py b/src/setup_geoserver.py
index b95362103..74e963d66 100644
--- a/src/setup_geoserver.py
+++ b/src/setup_geoserver.py
@@ -78,9 +78,12 @@ def main():
 ensure_jdbc_role_service_internal_schema()
 role_service.setup_jdbc_role_service(settings.GEOSERVER_DATADIR,
 settings.LAYMAN_ROLE_SERVICE_URI,
- 'layman_role_service',
+ settings.LAYMAN_GS_ROLE_SERVICE,
 settings.LAYMAN_ROLE_SERVICE_SCHEMA,
 )
+ role_service.set_primary_role_service(settings.GEOSERVER_DATADIR,
+ settings.LAYMAN_GS_ROLE_SERVICE,
+ )
 epsg_properties.setup_epsg(settings.GEOSERVER_DATADIR, set(settings.LAYMAN_OUTPUT_SRS_LIST))